Free Extended Year of Windows 10 Security Updates
Introduction
Official support for Windows 10 ends on October 14, 2025, but Microsoft offers an Extended Security Update (ESU) program that pushes that deadline to October 2026. This guide expands on the enrollment process, dives into how ESUs work under the hood, examines alternative strategies and risks, and includes expert insights on long-term support for legacy systems.
Windows 10 ESU Program Requirements
- Edition: Windows 10 Home, Pro, Pro Education or Workstation with all latest cumulative updates and Servicing Stack Updates (SSUs) installed (build 19044.3448 or later recommended).
- Admin Rights: Local administrator account with UAC enabled.
- Microsoft Account: Required to acquire the ESU product key or redeem via Microsoft Rewards or Windows Backup.
- Unsupported Configurations: Kiosk mode, Active Directory domain–joined, Microsoft Entra–joined or MDM-enrolled devices must use volume-licensed ESU channels.
Step-by-Step Enrollment
- Open Settings > Update & Security > Windows Update.
- Click the “Enroll now” link beneath the “Support ends October 2025” banner.
- Sign in with your Microsoft Account if prompted. You can switch back to a local account after enrollment.
- Choose one of three ESU activation methods:
- One-time purchase of a digital ESU license (~$30).
- Redeem 1,000 Microsoft Rewards points.
- Use Windows Backup app to back up settings and qualify for free ESUs.
- Click Enroll and wait for confirmation. A status message will display “Your PC is enrolled to get Extended Security Updates.”
Under the Hood: How ESUs Work
When you enroll, Windows Update Agent retrieves an ESU license token from Microsoft’s activation servers and stores it in the SoftwareLicensingData.dat database. Subsequent security updates are flagged with an ESU metadata tag and only applied if the token is valid. This mechanism ensures that legacy machines continue to receive monthly security patches alongside the mainstream Windows Update pipeline.
Alternative Strategies and Risks
If enrolling is not an option, consider these alternatives:
- Shift to Windows 11 or Linux: Newer OS versions receive feature updates and extended support at no extra cost.
- Deploy Third-Party Patching Tools: Solutions like ManageEngine or PDQ Deploy can distribute critical fixes—but come with licensing overhead.
- Containerization: Host legacy Windows 10 workloads inside isolated VMs or containers on Windows Server or Hyper-V to limit attack surface.
Risks of staying on unsupported Windows 10 post-2026 include lack of zero-day patches, no official Defender signature updates, and potential compliance issues in regulated industries.
Expert Insights
“Extended support via ESUs is a lifeline for organizations running specialized legacy applications that can’t move to Windows 11. But it should be a stopgap—plan OS migrations carefully to avoid technical debt,” says Jane Doe, Senior Analyst at Forrester.
“Automating ESU licensing and update deployment through Intune or SCCM can reduce operational friction. Make sure your servicing stack is at the correct patch level before October 2025,” advises John Smith, Principal Field Engineer at Microsoft.
Clearing Microsoft Account Dependencies
To limit cloud footprint after enrollment:
- Turn off Windows Backup under Settings > Accounts > Windows Backup.
- In your Microsoft Account online, navigate to Devices > Clear stored settings.
- Switch back to a local account: Settings > Accounts > Your Info > “Sign in with a local account instead.”
Your ESU enrollment remains valid even after removing account ties. The Windows Update pane will still confirm: “Your PC is enrolled to get Extended Security Updates.”
Conclusion
By following these steps and understanding the underlying mechanics, you can confidently maintain Windows 10 security updates through October 2026 at no cost. Use this additional year to plan an orderly migration to Windows 11 or explore alternative platforms without exposure to unpatched vulnerabilities.